commafeed-api
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill performs network requests using curl, Node.js fetch, and Python requests to communicate with the user-configured CommaFeed host. These operations are used to manage subscriptions and retrieve user profile information, including email addresses and API keys.
- [INDIRECT_PROMPT_INJECTION]: The skill processes data from external RSS feeds, which introduces a surface where third-party content could attempt to influence the agent's behavior.
  - Ingestion points: Data enters the context through the /rest/category/entries and /rest/feed/entries API endpoints defined in SKILL.md.
  - Boundary markers: No specific delimiters or "ignore instructions" markers are provided in the examples to isolate external feed content.
  - Capability inventory: The skill includes the ability to execute shell commands via curl and perform network operations to a user-defined host.
  - Sanitization: The API returns raw HTML and string content from RSS feeds without specified sanitization steps in the provided instructions.
Audit Metadata